1. Field of the Invention
The present invention relates to cryptographic systems, and more particularly, to a method and apparatus for performing high speed computations of a value used in execution of the Montgomery algorithm for an arbitrary modulus size.
2. Description of Related Art
Cryptographic systems are commonly used to restrict unauthorized access to messages communicated over otherwise insecure channels. In general, cryptographic systems use a unique key, such as a series of numbers, to control an algorithm used to encrypt a message before it is transmitted over an insecure communication channel to a receiver. The receiver must have access to the same key in order to decode the encrypted message. Thus, it is essential that the key be communicated in advance by the sender to the receiver over a secure channel in order to maintain the security of the cryptographic system; however, secure communication of the key is hampered by the unavailability and expense of secure communication channels. Moreover, the spontaneity of most business communications is impeded by the need to communicate the key in advance.
In view of the difficulty and inconvenience of communicating the key over a secure channel, so-called public key cryptographic systems have been proposed in which a key may be communicated over an insecure channel without jeopardizing the security of the system. A public key cryptographic system utilizes a pair of keys in which one is publicly communicated, i.e., the public key, and the other is kept secret by the receiver, i.e., the private key. While the private key is mathematically related to the public key, it is computationally infeasible to derive the private key from the public key alone. Thus, the public key is used to encrypt a message, and the private key is used to decrypt the message.
Such cryptographic systems often require computation of modular exponentiations. As a representative example, consider an exponentiation of the form y=b^e mod n, in which the base b, exponent e and modulus n are extremely large numbers, e.g., having a length of 1,024 binary digits or bits. If, for example, the exponent e were transmitted as a public key, and the base b and modulus n were known to the receiver in advance, a private key y could be derived by computing the modular exponentiation. It would require such an extremely large amount of computing power and time to derive the private key y from the exponent e without knowledge of the base b and modulus n, that unauthorized access to the decrypted message is virtually precluded as a practical matter.
A drawback of such cryptographic systems is that calculation of the modular exponentiation remains a daunting mathematical task even to an authorized receiver using a high speed computer. With the prevalence of public computer networks used to transmit confidential data for personal, business and governmental purposes, it is anticipated that most computer users will want cryptographic systems to control access to their data. Despite the increased security, the difficulty of the modular exponentiation calculation will substantially drain computer resources and degrade data throughput rates, and thus represents a major impediment to the widespread adoption of commercial cryptographic systems.
One technique for reducing the computations required to perform cryptographic evaluations is to use an algorithm proposed by P. L. Montgomery in "Modular Multiplication without Trial Division," published in the Mathematics of Computation, vol. 48, no. 177, January 1987, pp. 243-264, which is hereby incorporated by reference herein. This algorithm is known as "Montgomery's Method." It replaces each modular reduction by n with a division by a power of two R=2^k, which a binary processor performs by shifting, and requires that the modulus n be odd so that R and n are coprime. To perform this algorithm, a Montgomery value defined as 2^(2k) mod(n) must be computed, where n is the modulus, k is the number of bits representing the modulus n, and the expression A mod(n) denotes the modular reduction of A by n. The Montgomery value, equal to R^2 mod(n), is the constant by which an operand a is Montgomery-multiplied to bring it into Montgomery form, a*R mod(n), before the exponentiation proper begins.
One of the more computationally intense calculations performed in determining the Montgomery value is the computation of 2^(k+1) mod(n), or the modular reduction of 2^(k+1) by n. The number of subtractions required to complete the reduction is a function of both the modulus n and the operand size of the processor. If k is exactly the bit length of n, then 2^(k+1) is less than 4n and the reduction requires at most a few subtractions; but if k must be rounded up to a multiple of the processor's operand size, 2^(k+1) can exceed n by a large factor and reduction by repeated subtraction becomes correspondingly expensive. Hence, for a given value of modulus n, a processor of suitable operand size could be selected to reduce the number of required computations. Unfortunately, cryptographic systems usually require modular reduction capability for arbitrary modulus values, and processors with fixed operand sizes are poorly suited to efficiently compute 2^(k+1) mod(n) in such cases.
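The following is an added worked example, not part of the patent text and not the claimed apparatus: it computes 2^(k+1) mod(n) by repeated subtraction (reporting the subtraction count, which depends on n as the passage above states), derives the Montgomery value 2^(2k) mod(n) from it by shifts and conditional subtractions only, and then checks that value by using it to convert operands into Montgomery form inside a Montgomery exponentiation. It assumes k is taken as the exact bit length of n (the favorable case described above, not the word-rounded case the patent addresses) and that n is odd; the 1024-bit modulus and the operands are constructed test values, not real key material.

```python
# Added example (not from the patent): the Montgomery value 2^(2k) mod n
# computed without trial division, starting from 2^(k+1) mod n, and then
# exercised through REDC-based Montgomery exponentiation.
# Assumptions: k = bit length of n (no word rounding); n odd and >= 3.


def two_k_plus_one_mod_n(n):
    """Reduce 2^(k+1) modulo n by repeated subtraction.

    Returns (2^(k+1) mod n, number of subtractions).  With k = bit length
    of n and n odd, 2^(k-1) < n < 2^k, so 2n < 2^(k+1) < 4n and the count
    is always 2 or 3.  A k rounded up to a word boundary would instead make
    the count grow like 2^(k+1) / n, which is the cost the patent is about.
    """
    if n < 3 or n % 2 == 0:
        raise ValueError("modulus must be odd and >= 3")
    k = n.bit_length()
    t = 1 << (k + 1)
    subtractions = 0
    while t >= n:
        t -= n
        subtractions += 1
    return t, subtractions


def montgomery_value(n):
    """Return R^2 mod n = 2^(2k) mod n, k = n.bit_length(), using only
    shifts and conditional subtractions (no division by n)."""
    k = n.bit_length()
    t, _ = two_k_plus_one_mod_n(n)
    # t < n, so each doubling stays below 2n and one subtraction re-reduces it.
    # k-1 doublings take 2^(k+1) up to 2^(2k).
    for _ in range(k - 1):
        t <<= 1
        if t >= n:
            t -= n
    return t


def montgomery_reduce(t, n, k, n_prime):
    """REDC: return t * R^-1 mod n for 0 <= t < n*R, with n_prime = -n^-1 mod R."""
    mask = (1 << k) - 1
    m = (t * n_prime) & mask       # m = t * (-n^-1) mod R
    u = (t + m * n) >> k           # t + m*n is divisible by R; u < 2n
    return u - n if u >= n else u


def montgomery_modexp(b, e, n):
    """Compute b^e mod n with Montgomery multiplication (left-to-right binary)."""
    k = n.bit_length()
    R = 1 << k
    n_prime = (-pow(n, -1, R)) % R   # modular inverse via pow() needs Python 3.8+
    r2 = montgomery_value(n)         # the Montgomery value discussed in the text

    def mont_mul(x, y):
        return montgomery_reduce(x * y, n, k, n_prime)

    x_bar = mont_mul(b % n, r2)      # b * R mod n: operand into Montgomery form
    acc = mont_mul(1, r2)            # 1 * R mod n: Montgomery form of 1
    for bit in bin(e)[2:]:
        acc = mont_mul(acc, acc)
        if bit == "1":
            acc = mont_mul(acc, x_bar)
    return mont_mul(acc, 1)          # multiply by 1 to leave Montgomery form


if __name__ == "__main__":
    # Constructed 1024-bit odd modulus for a self-check (not a real key).
    n = (1 << 1023) | 0x1B2F1
    assert montgomery_value(n) == pow(2, 2 * n.bit_length(), n)
    assert montgomery_modexp(0x1234567, 0xFEDCBA, n) == pow(0x1234567, 0xFEDCBA, n)
    print("Montgomery value and exponentiation verified against pow()")
```

Running the script verifies the shift-and-subtract result against Python's built-in modular arithmetic; the subtraction count returned by two_k_plus_one_mod_n is what would grow if k were padded to the processor's operand width rather than taken as the bit length of n.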
As is apparent from the above, there is a need in the cryptographic art for an apparatus and method for performing modular reductions and for determining the value of 2.sup.2k mod(n) for arbitrary modulus sizes in conjunction with fixed processor operand capacities. The present invention satisfies that need.